Method and system for supporting security and information for proximity based service in mobile communication system environment

ABSTRACT

A method for acquiring security related information for Proximity based security (Prose) search and prose communication by User Equipment (UE) in a mobile communication network is provided. A security communication method for UE for prose includes transmitting an attach request to an evolved Node B (eNB), receiving an attach response that includes security related information for the prose from the eNB, and performing device-to-device communication using the security related information.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a continuation application of prior application Ser.No. 15/025,800, filed on Mar. 29, 2016, which is an Internationalapplication number PCT/KR2014/009593, filed on Oct. 13, 2014, which willbe issued as U.S. Pat. No. 10,560,843 on Feb. 11, 2020, and was based onand claimed priority under 35 U.S.C § 119(a) of a Korean patentapplication number 10-2013-0121428, filed on Oct. 11, 2013, a Koreanpatent application number 10-2013-0133179, filed on Nov. 4, 2013, and aKorean patent application number 10-2014-0053645, filed on May 2, 2014,in the Korean Intellectual Property Office, the disclosure of each ofwhich is incorporated by reference herein in its entirety.

DESCRIPTION Technical Field

The present invention relates to a method for acquiring security relatedinformation for Proximity based security (Prose) search and prosecommunication by User Equipment (UE) in a mobile communication network.

Background Art

Currently, in performing device-to-device communication in acommunication system structure in the related art, there is not enoughdiscussion on systems and schemes for security setting and managementfor device-to-device communication due to vulnerability according tosecurity exposure of UE related information and other operationaldifficulties. Accordingly, the current device-to-device communicationmay cause problems of security vulnerability or inefficiency inperforming the communication.

DISCLOSURE OF INVENTION Technical Problem

The present invention has been made in order to solve the aboveproblems, and an aspect of the present invention relates to Proximitybased service (Prose) discovery and prose communication in performingdevice-to-device communication, and provides a method and a system thatmake it possible to perform safe communication in security throughapplication of related information for the prose and schemes forsecurity setting.

Solution to Problem

The present invention relates to schemes that make it possible toperform device-to-device communication in an evolved mobilecommunication system including 3GPP EPS and schemes for security settingand management in the device-to-device communication.

A device that intends to perform device-to-device communication throughthe present invention may acquire security information for performingthe device-to-device communication, and may set security for performingthe device-to-device communication.

In one aspect of the present invention, a security communication methodfor User Equipment (UE) for Proximity based services (Prose) includes:transmitting an attach request to an evolved Node B (eNB); receiving anattach response that includes security related information for the prosefrom the eNB; and performing device-to-device communication using thesecurity related information.

In another aspect of the present invention, User Equipment (UE)configured to perform security communication in a network that providesProximity based services (Prose) includes: a communication unitperforming data communication with an evolved Node B (eNB); and acontrol unit transmitting an attach request to the eNB, receiving anattach response that includes security related information for the prosefrom the eNB, and controlling the communication unit to performdevice-to-device communication using the security related information.

Advantageous Effects of Invention

In accordance with the present invention, In an environment, such as anEvolved Universal Terrestrial Radio Access Network (EUTRAN), a UniversalTerrestrial Radio Access Network (UTRAN), or a GSM/EDGE Radio AccessNetwork (GERAN), the device receives prose related capability for theprose discovery and the prose communication, a prose available PLMNlist, and a security key for setting prose related security, and thuscommunication efficiency and security can be strengthened in the prosediscovery and the prose communication.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram illustrating an example of a network structure towhich the present invention is applied;

FIG. 2 is a diagram illustrating another example of a network structureto which the present invention is applied;

FIGS. 3A and 3B are flowcharts illustrating a security communicationmethod that acquires security related information from a UE registrationprocess according to an embodiment of the present invention;

FIGS. 4A and 4B are flowcharts illustrating a security communicationmethod that acquires security related information from a proseregistration process according to an embodiment of the presentinvention;

FIGS. 5A and 5B are flowcharts illustrating a security communicationmethod that acquires security related information from a separateprocedure according to an embodiment of the present invention;

FIG. 6 is a block diagram illustrating the configuration of UE thatperforms an operation according to the present invention;

FIG. 7 is a diagram illustrating an example of a network structure towhich another embodiment of the present invention is applied;

FIGS. 8A, 8B, 9A, and 9B are flowcharts illustrating a securitycommunication method according to another embodiment of the presentinvention;

FIG. 10 is a flowchart illustrating a key generation method for securitycommunication according to another embodiment of the present invention;and

FIGS. 11 and 12 are flowcharts illustrating a key management method forsecurity communication according to another embodiment of the presentinvention.

MODE FOR THE INVENTION

Hereinafter, the operational principle according to preferredembodiments of the present invention will be described in detail withreference to the accompanying drawings. In describing the presentinvention, well-known functions or constructions incorporated herein arenot described in detail since they would obscure the subject matter ofthe present invention in unnecessary detail. Further, all terms used inthe description are defined in consideration of their functions in thepresent invention, but may differ depending on intentions of a user andan operator or customs. Accordingly, they should be defined on the basisof the contents of the whole description of the present disclosure.

The present invention relates to a system that enables a device toperform a communication function, and in this case, the device mayinclude various devices, such as mobile communication terminals in therelated art, machine type communication devices, consumer devices, andvending machines. The subject matter of the present invention is toprovide a method for transferring and managing related information andperforming communication in a safe environment so that various devicesoperate as User Equipments (UE) to perform Device-to-Device (D2D)discovery and D2D communication.

Hereinafter, in describing the present invention in detail, 3GPP basedEPS system, UTRAN, and GERAN are assumed, but are not limited thereto.The present invention may also be applied to other mobile systems.

On the other hand, when the UE receives related information or performssecurity setting in performing the D2D communication, variousmodifications may be made within a range that does not deviate from thescope of the present invention.

On the other hand, the present invention relates to a management methodthat can make it possible to transfer related information and to performsafe communication through security setting when various devicesincluding a communication UE intend to perform D2D communication inEUTRAN or 3GPP environment. This method can be applied to other mobilecommunication systems having a similar technical background and channeltype, network architecture, a similar protocol, or a different protocolthat performs similar operation, according to the judgment of a personskilled in the art to which the present invention pertains.

FIG. 1 is a diagram illustrating an example of a network structure towhich the present invention is applied.

Specifically, FIG. 1 is a block diagram illustrating a home routing casein a network environment for security setting and communication forprose discovery or prose communication. The network structureillustrated in FIG. 1 is based on a 3GPP EPS system, and hereinafter,the features of the present invention will be described around theEUTRAN. However, the present invention can be used even in other similarmobile communication systems.

Referring to FIG. 1, User Equipment (UE) 111 and 131 may include variousdevices, such as mobile communication UE in the related art, devicesthat perform machine type communication, consumer devices, and vendingmachines.

FIG. 1 illustrates a home network H1 and a visited network V1 inconsideration of a roaming environment. This network structure mayprovide an environment in which UE 1 111 and UE 2 131, which performprose discovery and prose communication, may perform differentoperations depending on whether they are in the same coverage coverage1or in different coverage coverage2. UE 1 111 may perform general EUTRANcommunication through an evolved Node B (eNB) 114 and a MobileManagement entity (MME) 116, and may perform data communication througha serving gateway 118, and a PDN gateway 119. In the case of homerouting as illustrated in FIG. 1, UE 1 111 performs data communicationthrough the PDN gateway 119 in the home network H1.

On the other hand, in a network to which the present invention isapplied, a prose function server 127 that performs prose relatedinformation exists to perform the prose function. The prose functionserver 127 verifies registration of prose related functions, transfer ofrelated information, and prose related capability of the UE 111 and 131.

Home Subscriber Server (HSS) 121 transfers subscription information ofthe UE 111 and 131 and UE related security key information to the prosefunction server 127. The prose performs the prose function through anapplication server 125, and the application server 125 performs a proserelated data service in association with a Policy and Charging RulesFunction (PCRF) 123 in order to perform prose application.

According to the present invention, entities, such as the device or UE111 and 131, the eNB 114, the MME 116, the prose function server 127,the HSS 121, and the application server 125, provide securitycommunication setting and performing methods that make it possible toperform proximity based service, prose discovery, and prosecommunication on the basis of protocols used in the mobile communicationand Internet communication. Hereinafter, the detailed contents thereofwill be described with reference to FIGS. 3A and 3B.

FIG. 2 is a diagram illustrating another example of a network structureto which the present invention is applied. Specifically, FIG. 2 is ablock diagram illustrating a local breakout case in an environment forsecurity setting of the prose discovery and the prose communication andfor the prose communication. As compared with the network structure ofFIG. 1, in the network structure of FIG. 2, a PDN gateway 220 and anapplication server 226 exist in a visited network V1, and a HPCRF 223and a visited PCRF (vPCRF) 224 are additionally provided.

FIGS. 3A and 3B are flowcharts illustrating a security communicationmethod according to an embodiment of the present invention.Specifically, FIGS. 3A and 3B illustrate security setting for the prosediscovery and the prose communication and a security communicationprocedure according to an embodiment of the present invention. In anembodiment of FIGS. 3A and 3B, the UE acquires a security key for theprose discovery and the prose communication and security setting relatedinformation in a registration process.

At operation 301, the UE 1 performs a registration procedure throughtransmission of an attach request message to the eNB. At operation 303,the eNB transfers the attach request message that is transmitted by theUE 1 to the MME.

At operation 305, the MME transmits an authentication data requestmessage to the HSS. Thereafter, at operation 307, the HSS transmitssecurity related information that includes an authentication vector andthe like to the MME.

At operation 309, the MME transmits a user authentication requestmessage that includes a UE Authentication Token (AUTN) to the UE 1. Atoperation 311, the UE 1 transmits a Response Security value (RES) to theMME together with a user authentication response message.

At operation 313, the MME transmits a NAS SMC message to the UE 1. Atoperation 315, the UE 1 transmits a security mode complete message tothe MME.

At operation 317, the MME transmits an Access Stratum (AS) security modecommand message to the eNB. At operation 319, the eNB transfers the ASsecurity mode command message to the UE 1. At operation 321, the UE 1transmits an AS security mode complete message to the eNB.

At operation 323, the MME transmits an update location request messageto the HSS. At operation 325, the HSS transmits subscription data to theMME. In this case, the HSS also transfers information, such as a proseidentity for performing the prose service, prose related capacity of theUE 1, a proximity related security key, and a prose PLMN list, to theMME. The proximity related security key is a security key for proximitydiscovery or proximity communication, and in an embodiment, it may be agroup key.

At operation 327, the MME transmits an attach accept message to the eNB,and at operation 329, the eNB transfers the attach accept message to theUE 1. At operation 327 and operation 329, information, such as a proseidentity for performing a prose service that is transferred from the HSSat operation 325, a prose related capacity of the UE, a proximityrelated security key, and a prose PLMN list, may also be transferred.

At operation 341, the UE 1 transmits a prose registration requestmessage to the prose function. In this process, a public key of the UE 1to be used when the UE 1 performs communication with another UE may betransmitted to the prose function. The transmitted public key of the UE1 is stored in the prose function. The UE 1 may receive its own publickey from a key authentication center or may transmit a request messageto the prose function so that the prose function receives the public keyof the UE 1 from the key authentication center. The prose registrationrequest message may include prose function Identity (ID) information.

At operation 343, the prose function transmits the prose registrationrequest message to the HSS. The prose registration request message mayinclude prose function Identity (ID) information. The prose function IDmay be transmitted from the prose function to the HSS through a messageor may be transmitted from the UE to the HSS. Thereafter, as illustratedin FIG. 11, the HSS may generate a prose key.

At operation 345, the HSS transmits a prose authentication vector to theprose function.

At operation 347, the prose function transmits a prose authenticationtoken to the UE 1. At operation 349, the UE 1 and the prose functionperform IPsec setting. As illustrated in FIG. 11, the UE 1 may generatethe prose key.

At operation 353, the UE 1 transmits a message that includes a responsevalue to the authentication token received from the prose function forprose registration to the prose function. At operation 355, the prosefunction compares and verifies RES and XRES information. At operation357, the prose function transmits a prose registration response messageto the UE 1, and at this time, a security key for protectingcommunication between the prose function and the UE 1 and an integritykey are transmitted. If there are several other UEs that can communicatewith the UE 1, the UE 1 may receive a public key of another UE from theprose function. That is, the prose function may transmit the public keyof another UE to the registered UE (e.g., UE 1).

FIGS. 4A and 4B are flowcharts illustrating a security communicationmethod according to an embodiment of the present invention.Specifically, FIGS. 4A and 4B illustrate security setting for the prosediscovery and the prose communication and a security communicationprocedure according to an embodiment of the present invention. In anembodiment of FIGS. 4A and 4B, the UE acquires a security key for theprose discovery and the prose communication and security setting relatedinformation in a proximity based service registration process forperforming prose registration.

At operation 401, the UE 1 performs a registration procedure throughtransmission of an attach request message to the eNB. At operation 403,the eNB transfers the attach request message that is transmitted by theUE 1 to the MME.

At operation 405, the MME transmits an authentication data requestmessage to the HSS. Thereafter, at operation 407, the HSS transmitssecurity related information that includes an authentication vector andthe like to the MME.

At operation 409, the MME transmits a user authentication requestmessage that includes a UE Authentication Token (AUTN) to the UE 1. Atoperation 411, the UE 1 transmits a Response Security value (RES) to theMME together with a user authentication response message.

At operation 413, the MME transmits a Non-Access Stratum SecurityCommand (NAS SMC) message to the UE 1. At operation 415, the UE 1transmits a security mode complete message to the MME.

At operation 417, the MME transmits an Access Stratum (AS) security modecommand message to the eNB. At operation 419, the eNB transfers the ASsecurity mode command message to the UE 1. At operation 421, the UE 1transmits an AS security mode complete message to the eNB.

At operation 423, the MME transmits an update location request messageto the HSS. At operation 425, the HSS transmits subscription data to theMME.

At operation 427, the MME transmits an attach accept message to the eNB,and at operation 429, the eNB transfers the attach accept message to theUE 1.

At operation 441, the UE 1 transmits a prose registration requestmessage to the prose function. In this process, a public key of the UE 1to be used when the UE 1 performs communication with another UE may betransmitted to the prose function. The transmitted public key of the UE1 is stored in the prose function. The UE 1 may receive its own publickey from a key authentication center or may transmit a request messageto the prose function so that the prose function receives the public keyof the UE 1 from the key authentication center. The prose registrationrequest message may include prose function Identity (ID) information.

At operation 443, the prose function transmits the prose registrationrequest message to the HSS. The prose registration request message mayinclude prose function Identity (ID) information. The prose function IDmay be transmitted from the prose function to the HSS through a messageor may be transmitted from the UE to the HSS. Thereafter, as illustratedin FIG. 11, the HSS may generate a prose key.

At operation 445, the HSS transmits a prose authentication vector to theprose function.

At operation 447, the prose function transmits a prose authenticationtoken to the UE 1. At operation 449, the UE 1 and the prose functionperform IPsec setting. As illustrated in FIG. 11, the UE may generatethe prose key.

At operation 453, the UE 1 transmits a message that includes a responsevalue to the authentication token received from the prose function forprose registration to the prose function. At operation 455, the prosefunction compares and verifies RES and XRES information. At operation457, the prose function transmits a prose registration response messageto the UE 1. At this time, the prose function also transmits a securitykey for protecting communication between the prose function and the UE 1and an integrity key. Further, the prose function also transfersinformation, such as a prose identity for performing the prose service,prose related capacity of the UE 1, a proximity related security key,and a prose PLMN list. The proximity related security key is a securitykey for proximity discovery or proximity communication, and as anexample, it may be a group key. If there are several other UEs that cancommunicate with the UE 1, the UE 1 may receive a public key of anotherUE from the prose function. That is, the prose function may transmit thepublic key of another UE to the registered UE (e.g., UE 1).

FIGS. 5A and 5B are flowcharts illustrating a security communicationmethod according to an embodiment of the present invention.Specifically, FIGS. 5A and 5B illustrate security setting for the prosediscovery and the prose communication and a security communicationprocedure. In an embodiment of FIGS. 5A and 5B, a security key for theprose discovery and the prose communication and security setting relatedinformation are acquired through a separate procedure after the UEregistration and prose registration are completed.

At operation 501, the UE 1 performs a registration procedure throughtransmission of an attach request message to the eNB. At operation 503,the eNB transfers the attach request message that is transmitted by theUE 1 to the MME.

At operation 505, the MME transmits an authentication data requestmessage to the HSS. Thereafter, at operation 507, the HSS transmitssecurity related information that includes an authentication vector andthe like to the MME.

At operation 509, the MME transmits a user authentication requestmessage that includes a UE Authentication Token (AUTN) to the UE 1. Atoperation 511, the UE 1 transmits a Response Security value (RES) to theMME together with a user authentication response message.

At operation 513, the MME transmits a Non-Access Stratum SecurityCommand (NAS SMC) message to the UE 1. At operation 515, the UE 1transmits a security mode complete message to the MME.

At operation 517, the MME transmits an Access Stratum (AS) security modecommand message to the eNB. At operation 519, the eNB transfers the ASsecurity mode command message to the UE 1. At operation 521, the UE 1transmits an AS security mode complete message to the eNB.

At operation 523, the MME transmits an update location request messageto the HSS. At operation 525, the HSS transmits subscription data to theMME.

At operation 527, the MME transmits an attach accept message to the eNB,and at operation 529, the eNB transfers the attach accept message to theUE 1.

At operation 541, the UE 1 transmits a prose registration requestmessage to the prose function. In this process, a public key of the UE 1to be used when the UE 1 performs communication with another UE may betransmitted to the prose function. The transmitted public key of the UE1 is stored in the prose function. The UE 1 may receive its own publickey from a key authentication center or may transmit a request messageto the prose function so that the prose function receives the public keyof the UE 1 from the key authentication center. The prose registrationrequest message may include prose function Identity (ID) information.

At operation 543, the prose function transmits the prose registrationrequest message to the HSS. The prose registration request message mayinclude prose function Identity (ID) information. The prose function IDmay be transmitted from the prose function to the HSS through a messageor may be transmitted from the UE to the HSS. Thereafter, as illustratedin FIG. 11, the HSS may generate a prose key.

At operation 545, the HSS transmits a prose authentication vector to theprose function.

At operation 547, the prose function transmits a prose authenticationtoken to the UE 1. At operation 549, the UE 1 and the prose functionperform IPsec setting. As illustrated in FIG. 11, the UE may generatethe prose key.

At operation 553, the UE 1 transmits a message that includes a responsevalue to the authentication token received from the prose function forprose registration to the prose function. At operation 555, the prosefunction compares and verifies RES and XRES information. At operation557, the prose function transmits a prose registration response messageto the UE 1, and at this time, a security key for protectingcommunication between the prose function and the UE 1 and an integritykey are transmitted.

Further, at operation 559, the prose function transfers at least one ofa prose identity for performing the prose service, prose relatedcapacity of the UE 1, a proximity related security key, and a prose PLMNlist to the UE 1. The operation 559 may be performed through thecommunication between the UE 1 in which security such as integrityprotect is performed and the prose function. The proximity relatedsecurity key is a security key for proximity discovery or proximitycommunication, and as an example, it may be a group key.

If there are several other UEs that can communicate with the UE 1, theUE 1 may receive a public key of another UE from the prose function.That is, the prose function may transmit the public key of another UE tothe registered UE (e.g., UE 1).

At operation 561, in response to this, the UE 1 transmits a responsemessage to the prose parameter transmission to the prose function.

FIG. 6 is a block diagram illustrating the configuration of UE thatperforms an operation according to the present invention.

Referring to FIG. 6, the UE 600 may include a communication unit 610, acontrol unit 620, and a storage unit 630.

The communication unit 610 performs data communication with the eNB, theMME, the prose function, or the HSS under the control of the controlunit 620.

The control unit 620 controls other constituent elements, such as thecommunication unit 610 and the storage unit 630, to perform theabove-described operations according to the present invention.

The storage unit 630 temporarily or permanently store the securityrelated information that is acquired by the control unit 620.

FIG. 7 is a diagram illustrating an example of a network structure towhich another embodiment of the present invention is applied. Thenetwork structure illustrated in FIG. 7 is based on a 3GPP EPS system,and hereinafter, the features of the present invention will be describedaround the EUTRAN. However, the present invention can be used even inother similar mobile communication systems.

Referring to FIG. 7, User Equipment (UE) 1111 and 1131 may includevarious devices, such as mobile communication UE in the related art,devices that perform machine type communication, and consumer devices.

The network structure illustrated in FIG. 7 may provide an environmentin which UE 1 1111 and UE 2 1131 perform prose discovery and prosecommunication. UE 1 1111 may perform general EUTRAN communicationthrough an eNB 1114 and an MME 1116, and may perform data communicationthrough a serving gateway 1118, and a PDN gateway 1119. On the otherhand, in a network to which the present invention is applied, a prosefunction server 1127 that performs prose related information exists toperform the prose function. The prose function server 1127 verifiesregistration of a prose related functions, transfer of relatedinformation, and prose related capability of the UE 1111 and 1131, andperforms prose authentication.

HSS 1121 transfers subscription information of the UE 1111 and 1131 andUE related security key information to the prose function server 1127.The prose performs a prose application server function through anapplication server 1125, and the application server 1125 performs aprose related data service in association with a Policy and ChargingRules Function (PCRF) 1123-1 in order to perform prose application.

According to the present invention, entities, such as the device or UE1111 and 1131, the eNB 1114, the MME 1116, the prose function server1127, the HSS 1121, and the application server 1125, provide securitycommunication setting and performing methods that make it possible toperform proximity based service, prose discovery, and prosecommunication on the basis of protocols used in the mobile communicationand Internet communication. Hereinafter, the detailed contents thereofwill be described.

FIGS. 8A and 8B are flowcharts illustrating a security communicationmethod according to another embodiment of the present invention.Specifically, FIGS. 8A and 8B illustrate an authentication method forthe prose discovery and the prose communication and a security keysetting method using a key obtained by deriving security key settingrelated information through the prose function server.

At operation 1201, the UE performs a registration procedure throughtransmission of an attach request message to the eNB. At operation 1203,the eNB transfers the attach request message that is transmitted by theUE to the MME.

At operation 1205, the MME transmits an authentication data requestmessage to the HSS, and the HSS transmits security related informationthat includes an authentication vector and the like to the MME.

At operation 1207, the MME transmits a user authentication requestmessage that includes an Authentication Token (AUTN) to the UE, and theUE transmits a Response Security value (RES) to the MME together with auser authentication response message.

At operation 1208, the UE performs a NAS Security Mode Command (SMC)with the MME, and thereafter the MME, the eNB, and the UE perform AS SMCprocesses.

At operation 1209, the MME transmits an update location request messageto the HSS. At operation 1211, the HSS transmits subscription data tothe MME. In this case, the HSS also transfers information, such as aprose identity for performing the prose service, a prose group identity,a prose related capacity of the UE, a proximity related security key ifthere are the registered prose identity and security key, and a prosePLMN list, to the MME. The proximity related security key is a securitykey for proximity discovery or proximity communication. If there existsalready registered information on the proximity related security key,the HSS inquires and transfers the registered information to the MME,whereas if there does not exist the registered information, the HSSperforms subsequent authentication and then generates the proximityrelated security key.

At operation 1213, the MME transmits an attach accept message to theeNB, and at operation 1215, the eNB transfers the attach accept messageto the UE. At operation 1213 and operation 1215, information, such as aprose identity for performing a prose service that is transferred fromthe HSS at operation 1211, a prose related capacity of the UE, aproximity related security key, a prose group key, a prose groupidentity, and a prose PLMN list, may also be transferred.

At operation 1217, the UE transmits a prose registration request messageto the prose function. In this process, a public key of the UE to beused when the UE performs communication with another UE may betransmitted to the prose function. The transmitted public key of the UEis stored in the prose function. The UE may receive its own public keyfrom a key authentication center or may transmit a request message tothe prose function so that the prose function receives the public key ofthe UE from the key authentication center. Such a prose registrationrequest message may include prose function Identity (ID) information.

At operation 1218, the prose function transmits the prose registrationrequest message to the HSS. The prose registration request message mayinclude prose function Identity (ID) information. The prose function IDmay be transmitted from the prose function to the HSS through a messageor may be transmitted from the UE to the HSS. Thereafter, as illustratedin FIG. 11, the HSS may generate a prose key. Thereafter, the HSStransmits a prose authentication vector to the prose function. Theauthentication vector may include a Cipher Key (hereinafter, referred toas “CK”) and an Integrity Key (hereinafter, referred to as “IK”).Further, the authentication vector may include the generated prose key.In an embodiment, the HSS may separately transmit the prose key to theprose function regardless of the pros authentication vector.

At operation 1219, the prose function transmits a prose authenticationtoken to the UE. At operation 1220, the UE and the prose functionperform IPsec setting. As illustrated in FIG. 11, the UE may generatethe prose key.

At operation 1221, the UE transmits a message that includes a responsevalue to the authentication token received from the prose function forthe prose registration to the prose function. At operation 1223, theprose function compares and verifies RES and XRES information. Atoperation 1223, the prose function transmits a prose registrationresponse message to the UE, and at this time, a security key forprotecting the communication between the prose function and the UE, anintegrity key to protect the communication between the UE and anapplication server, and an encryption key seed are also transmitted. Ifthere are several other UEs that can communicate with the UE 1, the UE 1may receive public keys of the other UEs from the prose function. Thatis, the prose function may transmit the public keys of the other UEs tothe registered UE (e.g., UE 1).

At operation 1225, the UE transfers a request for connecting to theapplication server to the prose function, and at operation 1226, theprose function requests information on the application server from theHSS. At operation 1227, the HSS transfers application server relatedinformation to the prose function. The application server relatedinformation may include information on an IP address for connecting tothe application server. In another embodiment of the present invention,the operation 1225 to operation 1226 may be omitted.

At operation 1231-1, the UE may generate the prose key for the prosecommunication, and the prose key is used to perform communicationbetween the UE and the application. The prose key may be generated fromthe IK and the CK or may be generated using K_(ASME).

At operation 1231-3, the prose function may generate the prose key fromthe IK and the CK, and may generate the prose key from the K_(ASME). Inthe case of generating the prose key from the IK and the CK, the valuethat is transferred from the HSS may be used, whereas in the case ofgenerating the prose key from the K_(ASME), the K_(ASME) may be providedfrom the MME or a structure in which the prose function and the MME arecombined with each other. At operation 1234, the prose function updatesthe changed prose security key information in the HSS.

At operation 1235, the prose function may transfer the prose key andrelated information that the UE has registered for the prose service inthe prose function in the registration process to the applicationserver. Further, seed information for the integrity key and theencryption key may also be transferred. At operation 1237, at least onepiece of information, such as the prose key, the integration key seed,and the encryption key seed, may be stored. Thereafter, at operation1239, the UE and the application server perform communication using theprose key and the prose identity. On the other hand, like operation1241, the UE and another UE may perform communication using the prosekey or the prose Identity (ID).

FIGS. 9A and 9B are flowcharts illustrating a security communicationmethod according to another embodiment of the present invention.Specifically, FIGS. 9A and 9B are message flow charts illustrating acommunication and security procedure for authentication and security ofthe prose discovery and the prose communication according to anembodiment of the present invention.

At operation 1301, the UE performs a registration procedure throughtransmission of an attach request message to the eNB. At operation 1303,the eNB transfers the attach request message that is transmitted by theUE to the MME.

At operation 1305, the MME transmits an authentication data requestmessage to the HSS, and the HSS transmits security related informationthat includes an authentication vector and the like to the MME.

At operation 1307, the MME transmits a user authentication requestmessage that includes an Authentication Token (AUTN) to the UE, and theUE transmits a Response Security value (RES) to the MME together with auser authentication response message.

At operation 1308, the UE performs a NAS Security Mode Command (SMC)with the MME, and thereafter, the MME, the eNB, and the UE perform ASSMC processes.

At operation 1309, the MME transmits an update location request messageto the HSS. At operation 1311, the HSS transmits subscription data tothe MME. In this case, the HSS also transfers information, such as aprose identity for performing the prose service, a prose group identity,a prose related capacity of the UE, a proximity related security key ifthere are the registered prose identity and security key, and a prosePLMN list, to the MME. The proximity related security key is a securitykey for proximity discovery or proximity communication. If there existsalready registered information on the proximity related security key,the HSS inquires and informs the registered information, whereas ifthere does not exist the registered information, the HSS performssubsequent authentication and then generates the proximity relatedsecurity key.

At operation 1313, the MME transmits an attach accept message to theeNB, and at operation 1315, the eNB transfers the attach accept messageto the UE. At operation 1313 and operation 1315, information, such as aprose identity for performing a prose service that is transferred fromthe HSS at operation 1311, a prose related capacity of the UE, aproximity related security key, a prose group key, a prose groupidentity, and a prose PLMN list, may also be transferred.

At operation 1317, the UE transmits an access request message to anapplication server, and the application server performs triggering sothat the UE passes through an authentication and bootstrapping process.

At operation 1319, the UE transmits a registration request message tothe prose function. In this process, a public key of the UE to be usedwhen the UE performs communication with another UE may be transmitted tothe prose function. The transmitted public key of the UE is stored inthe prose function. The UE may receive its own public key from a keyauthentication center or may transmit a request message to the prosefunction so that the prose function receives the public key of the UEfrom the key authentication center. Such a prose registration requestmessage may include prose function Identity (ID) information.

At operation 1320, the prose function transmits the prose registrationrequest message to the HSS. The prose registration request message mayinclude prose function Identity (ID) information. The prose function IDmay be transmitted from the prose function to the HSS through a messageor may be transmitted from the UE to the HSS. Thereafter, as illustratedin FIG. 11, the HSS may generate a prose key. Thereafter, the HSStransmits a prose authentication vector to the prose function. Theauthentication vector may include a Cipher Key (hereinafter, referred toas “CK”) and an Integrity Key (hereinafter, referred to as “IK”).Further, the authentication vector may include the generated prose key.The HSS may separately transmit the prose key to the prose functionregardless of the pros authentication vector.

At operation 1323, IPsec setting is performed between the UE and theprose function. As illustrated in FIG. 11, the UE may generate the prosekey.

At operation 1325, a message that includes a response value to anauthentication token that is transmitted from the prose function to theUE for the prose registration is transmitted from the UE to the prosefunction, and the prose function compares and verifies RES and XRESinformation.

At operation 1329, a prose registration response message is transmittedfrom the prose function to the UE, and at this time, a security key forprotecting the communication between the prose function and the UE, anintegrity key to protect the communication between the UE and theapplication server, and an encryption key seed are also transmitted.

If there are several other UEs that can communicate with the UE 1, theUE 1 may receive public keys of the other UEs from the prose function.That is, the prose function may transmit the public keys of the otherUEs to the registered UE (e.g., UE 1).

At operation 1331, the UE may generate the prose key for performingprose communication, and the prose key is used to perform communicationbetween the UE and the application. The prose key may be generated fromthe IK and the CK.

At operation 1333, the UE transmits an access request to the applicationserver. At operation 1334, the application server transmits anauthentication request message to the prose function.

At operation 1335, the prose function may generate the prose key fromthe IK and the CK, or may generate the prose key from the K_(ASME). Inthe case of generating the prose key from the IK and the CK, the valuethat is transferred from the HSS may be used, whereas in the case ofgenerating the prose key from the K_(ASME), the K_(ASME) may be providedfrom the MME or a structure in which the prose function and the MME arecombined with each other. At operation 1339, the prose functiontransfers the prose key and related information that is registered forthe prose service to the application server. Further, seed informationfor the integrity key and the encryption key may also be transferred. Atoperation 1341, at least one piece of information, such as the prosekey, the integration key seed, and the encryption key seed, may bestored.

At operation 1343, the application server transmits a response messageto the UE. At operation 1343, the application server generates theintegrity key and the encryption key. At operation 1347, the encryptionkey and the integrity key are generated by the prose key to betransmitted. At operation 1349, the UE decrypts the encryption key andthe integrity key through the prose key.

Thereafter, at operation 1351, the UE and the application server performcommunication using the prose key and the prose identity. On the otherhand, like operation 1353, the UE and another UE may performcommunication using the prose key or the prose Identity (ID).

FIG. 10 is a flowchart illustrating a key generation method for securitycommunication according to another embodiment of the present invention.Specifically, FIG. 10 illustrates key generation and relationship forprose discovery and prose communication security according to anembodiment of the present invention.

A prose function server 9227 may generate and transfer a prose key to aprose application server 9225. Further, an HSS 9221 may generate orinquire the prose key.

In an embodiment (case 1), the application server 9225 may generate akey for protecting a session using the prose key that is received fromthe prose function server, an encryption key for data encryption, or anintegrity key for data integrity. Further, in another embodiment (case2), the application server may generate the encryption key for the dataencryption, or may generate and transfer the integrity key for the dataintegrity to the UE.

The UE 9211 generates the prose key. Further, in still anotherembodiment (case 3), the UE may generate any one of the session key, theintegrity key, and the encryption key. On the other hand, according tostill another embodiment (case 4), the UE may decrypt and use any one ofthe session key, the integrity key, and the encryption key.

FIG. 11 is a flowchart illustrating a key management method for securitycommunication according to another embodiment of the present invention.FIG. 11 relates to an embodiment (case 1 and case 3) of key managementschemes for prose discovery and prose communication security accordingto an embodiment of the present invention.

IK and CK 1503 are an integrity key and a cipher key that are generatedfrom the UE and the HSS. The prose key 1507 may be generated from the IKand the CK.

Prose key=KDF(IK,CK,application server ID,RAND,prose serverID)  [Equation 1]

Equation 1 may be applied in the case where the prose key participatesin the registration of an application.

Prose key=KDF(IK,CK,RAND,prose server ID)  [Equation 2]

Equation 2 may be applied in the case where the prose key participatesin the registration of a prose function. In equation 2, the term “proseserver ID” may mean a prose function ID.

In equation 1 and equation 2, IK denotes an integrity key, CK denotes acipher key, application server ID denotes an identity of an applicationserver, RAND denotes a random number, and prose server ID denotes anidentity of a prose server.

In equation 1 and equation 2, CK∥IK that is the concatenation of IK andCK may be used as the key. Further, the application server ID, the RAND,and the prose server ID may be concatenated to be used. The term “KDF”denotes a key derivation function, and may be, for example, HMAC-SHA256.

As in an embodiment (case 1), the session key, the encryption key, andthe integrity key may be generated from the prose key.

For example, the session key may be generated as in the followingequation 3.

Session key=KDF(CK,IK,session key algorithm ID)  [Equation 3]

Here, IK denotes an integrity key, CK denotes a cipher key, and sessionkey algorithm ID denotes an identity that is used to identify a sessionkey algorithm.

In this case, CK∥IK that is the concatenation of IK and CK may be usedas the key.

Encryption key=KDF(CK,IK,encryption key algorithm ID)  [Equation 4]

Here, IK denotes an integrity key, CK denotes a cipher key, andencryption key algorithm ID denotes an identity that is used to identifyan encryption key algorithm.

In this case, CK∥IK that is the concatenation of IK and CK may be usedas the key.

Integrity key=KDF(CK,IK,integrity key algorithm ID)  [Equation 5]

Here, IK denotes an integrity key, CK denotes a cipher key, andintegrity key algorithm ID denotes an identity that is used to identifyan integrity key algorithm.

In this case, CK∥IK that is the concatenation of IK and CK may be usedas the key.

Further, according to another embodiment (case 2), the applicationserver may protect and transfer the session key, the encryption key, orthe integrity key, which is separately generated, to the UE. The sessionkey, the encryption key, and the integrity key may be generated invarious methods, and in order to protect and transfer the session key,the encryption key, and the integrity key to the UE, the generated prosekey may be used. That is, according to an embodiment (case 2-1), theprose key may protect and transfer the session key, whereas according toanother embodiment (case 2-2), the prose key may be used to protect andtransfer the encryption key and the integrity key. That is, according toan embodiment (case 2-1), the prose key may protect and transfer thesession key, and the UE may decrypt and use the encryption key and theintegrity key again using the transferred session key. Further,according to another embodiment (case 2-2), the prose key may protectand transfer the encryption key and the integrity key, and the UE maydecrypt and use the encryption key and the integrity key.

FIG. 12 is a flowchart illustrating a key management method for securitycommunication according to another embodiment of the present invention.Specifically, FIG. 12 relates to an embodiment (case 2 and case 4) ofkey management schemes for prose discovery and prose communicationsecurity according to an embodiment of the present invention. Themethods of FIGS. 11 and 12 are different from each other on the pointthat in the method of FIG. 11, the prose key is generated from the CKand the IK, whereas in the method of FIG. 12, the prose key is generatedfrom a Key Access Security Management Entity (KASME). In this case, theprose function server may be implemented by various methods. Forexample, the prose function server may be combined with the MME to forma combined structure, or the prose function server may receive the KASMEfrom the MME.

IK and CK 1603 are an integrity key and a cipher key that are generatedfrom the UE and the HSS. The KASME 1605 may be generated from the IK andthe CK. The prose key 1607 may be generated from the KASME.

The prose key may be generated as in the following equation.

Prose key=KDF(K_(ASME),application server ID,RAND,prose serverID)  [Equation 6]

Equation 6 may be applied in the case where the prose key participatesin the registration of an application.

Prose key=KDF(K_(ASME),RAND,prose server ID)  [Equation 7]

Equation 7 may be applied in the case where the prose key participatesin the registration of a prose function. In equation 7, the term “proseserver ID” may mean a prose function ID.

In equation 6 and equation 7, KASME may be generated from the IK, CK, aserving network identity, and a sequence number. An application serverID denotes an identity of an application server, RAND denotes a randomnumber, a prose server ID denotes an identity of a prose server, and KDFdenotes a key derivation function, and may be, for example, HMAC-SHA256.

The application server ID, the RAND, and the prose server ID may beconcatenated to be used.

As in an embodiment (case 2), the session key, the encryption key, andthe integrity key may be generated from the prose key.

For example, the session key may be generated as follows.

Session key=KDF(CK,IK,session key algorithm ID)  [Equation 8]

Here, IK denotes an integrity key, CK denotes a cipher key, and sessionkey algorithm ID denotes an identity that is used to identify a sessionkey algorithm.

Further, CK∥IK that is the concatenation of IK and CK may be used as thekey.

Encryption key=KDF(CK,IK,encryption key algorithm ID)  [Equation 9]

Here, IK denotes an integrity key, CK denotes a cipher key, andencryption key algorithm ID denotes an identity that is used to identifyan encryption key algorithm.

Further, CK∥IK that is the concatenation of IK and CK may be used as thekey.

Integrity key=KDF(CK,IK,integrity key algorithm ID)  [Equation 10]

Here, IK denotes an integrity key, CK denotes a cipher key, andintegrity key algorithm ID denotes an identity that is used to identifyan integrity key algorithm.

In this case, CK∥IK that is the concatenation of IK and CK may be usedas the key.

Further, according to another embodiment (case 4), the applicationserver may protect and transfer the session key, the encryption key, orthe integrity key, which is separately generated, to the UE. The sessionkey, the encryption key, and the integrity key may be generated invarious methods, and in order to protect and transfer the session key,the encryption key, and the integrity key to the UE, the generated prosekey may be used. That is, according to an embodiment (case 4-1), theprose key may protect and transfer the session key, whereas according toanother embodiment (case 4-2), the prose key may be used to protect andtransfer the encryption key and the integrity key. That is, according toan embodiment (case 4-1), the prose key may protect and transfer thesession key, and the UE may decrypt and use the encryption key and theintegrity key again using the transferred session key. Further,according to another embodiment (case 4-2), the prose key may protectand transfer the encryption key and the integrity key, and the UE maydecrypt and use the encryption key and the integrity key.

Meanwhile, preferred embodiments of the present invention disclosed inthis specification and drawings and specific terms used therein areillustrated to present only specific examples in order to clarify thetechnical contents of the present invention and help understanding ofthe present invention, but are not intended to limit the scope of thepresent invention. It will be evident to those skilled in the art thatvarious implementations based on the technical spirit of the presentinvention are possible in addition to the disclosed embodiments.

1. A security communication method for user equipment (UE) for proximitybased services (prose), the security communication method comprising:transmitting, to a prose function, a first message including a publickey of the UE and a prose function identification (ID); receiving, fromthe prose function, a prose authentication token in response to thefirst message; transmitting, to the prose function, a second messageincluding a value determined based on the prose authentication token;receiving, from the prose function, a third message including a prosegroup key (PGK), a PGK ID, and a prose public land mobile network (PLMN)list; generating a prose traffic key (PTK) based on the PGK and a PTKID; deriving a prose encryption key (PEK) based on the PTK; receiving,from the prose function, a public key of another UE communicating withthe UE; and performing a device-to-device (D2D) communication byencrypting data based on the PEK and using the public key of the otherUE.